System and method for determining a computer user profile from a motion-based input device

ABSTRACT

The present invention provides a system and methods for computer user profiling based on behavioral biometrics. The approach consists of establishing distinctive profiles for computer users based on how they use a motion-based input device such as, but not limited to, a mouse and/or a keyboard. The profiles computed in the present invention are more accurate than those obtained through the traditional statistical profiling techniques, since they are based on distinctive biological characteristics of users.

FIELD OF THE INVENTION

The invention relates to user profiling of computers based on behavioral biometrics. More specifically, the invention relates to mouse and keystroke-based computer user profiling for security purposes.

BACKGROUND OF THE INVENTION

The increasing reliance of modern societies and economies on computing infrastructures raises the need for highly secure and dependable computing technologies. Recent widely publicized security incidents such as the Slammer worm have established how vulnerable several critical aspects of our social and economic life have become because of increased computerization.

Computer security has also become increasingly important because of the large number of security breaches in individual businesses, and the cost of those breaches to the businesses. In a recent survey (2003), it was reported that the total annual financial losses to the respondents were $201,797,340. This figure could actually be worse since only 251 out of the 530 participants (47%) reported their losses. The survey also shows other compelling statistics: 92% of the respondents detected attacks during the last 12 months while 75% of the respondents acknowledged financial losses due to security breaches. As mentioned above, only 47% reported their losses.

Many organizations address security from three different perspectives: prevention, detection, and reaction. Apparently, 99% of the respondents to a survey use a mixture of various technologies to protect their systems. For example, more than 90% use prevention technologies such as firewall, access control, and physical security. Also, 73% use intrusion detection systems.

One form of protection is password protection. It is a well-established fact that traditional passwords are not safe anymore. Passwords may be stolen or may be cracked using the so-called dictionary attack.

Another technology used by corporations to protect their networks is firewalls. Firewall technology has been used to protect and isolate segments of networks from untrusted networks by filtering out harmful traffic. There are several limitations to firewall technologies that result in them being relatively poor choices for strong network protection. There have been several widely publicized exploits whereby hackers have gained access to sensitive data by tunneling through authorized protocols. In order to provide a higher level of security, most organizations combine firewalls with a range of security monitoring tools called intrusion detection systems (IDS).

Intrusion Detection

The role of IDS is to monitor and detect computer and network intrusions in order to take appropriate measures that would prevent or avoid the consequences. The Internet is a wild zone, where new forms of security attacks are developed and executed daily. Hence, the main challenge currently faced by IDS technology is to be able to detect new forms of attacks.

An intrusion is described as a violation of the security policy of the system. It is also described as any set of actions that attempt to compromise the integrity, confidentiality, or availability of a resource.

There are three types of intrusion detection systems: anomaly intrusion detection, misuse intrusion detection, and specification-based detection. Anomaly detection refers to intrusions that can be detected based on anomalous activity and use of resources. Misuse detection refers to intrusions that follow well-defined patterns of attack. Specification-based detection approaches consider that all well-behaved system executions shall conform precisely to program specifications.

Existing anomaly detection techniques attempt to establish a normal activity profile using statistical modeling. Statistical profile-based detection uses a set of metrics to compute some measurements of user activity, and compares them against a set of values that characterize normal user activity. Any discrepancy between the computed values and the expected ones is considered an intrusion. Anomaly detection techniques to date rely upon a measured activity. These tend to be an activity in response to an input and therefore rely very heavily upon the constancy of the input. For example, the number of emails opened in a day may be measured. This, of course, is highly dependent upon the number of emails received.

Anomaly detection techniques assume that all intrusive activities are necessarily anomalous. This means that if we could establish a normal activity profile for a system, we could, in theory, flag all system states varying from the established profile by statistically significant amounts as intrusion attempts. However, if we consider that the set of intrusive activities only intersects the set of anomalous activities instead of being exactly the same, we will find the following possibilities:

1. Anomalous activities that are not intrusive are flagged as intrusive (false positives); and

2. Intrusive activities that are not anomalous (false negatives).

False negatives are considered very dangerous, and are far more serious than the issue raised by false positives.

The main issues in existing anomaly detection systems are the selection of threshold levels so that neither of the above two problems is unreasonably magnified, and the selection of available features to monitor. The features should effectively discriminate between intrusive and non-intrusive behaviors. The existing anomaly detection systems are also computationally expensive because of the overhead of keeping track of, and possibly updating, several system profile metrics.

The concept behind misuse detection schemes is that there are ways to represent attacks in the form of a pattern or a signature so that even variations of the same attack can be detected. Misuse detection systems can detect many or all known attack patterns, but they are of little use for as yet unknown attack methods.

Specification-based intrusion detection consists of checking whether a certain execution sequence violates the specification of programs that may affect the system protection state. Specification-based detection has the potential to detect unknown attacks; however, it is still in its infancy.

Existing intrusion detectors are characterized by significantly high false alarm rates. This is mainly a result of the low accuracy of the profiles computed. For example, some anomaly detectors base users' profiles on metrics such as the average number of files opened or emails sent daily. It is easy to find several users sharing the same habits. Further, it is easy for any user to change his habits and adopt the usage pattern of other users!

Biometrics Systems:

Different types of biometrics identification systems are currently available in the market, and are widely used in various security applications. Biometrics can be classified into two categories, “physiological biometrics” and “behavioral biometrics”. Physiological biometrics, including finger-scan, iris-scan, retina-scan, hand-scan, and facial-scan, uses measurements from the human body. Behavioral biometrics, such as signature or keystroke dynamics, uses measurements based on human actions. Published benchmark testing data for existing technologies shows that false rejection rates vary from 6% for face recognition to 0.25% for iris scan, whereas false acceptance rates vary from 6% for face recognition to 0.0001% for iris scan. Behavioral biometrics systems have experienced less success when compared to physiological systems because of variability in the measured parameter over time. However, either system provides improvements over the traditional intrusion detection systems.

Traditional intrusion detection systems focus on the actions conducted by the user. Biometrics-based systems focus on the identity of the user, hence such systems are able to detect the type of intrusion where an attacker gains access to the resources and starts to perform normal non-intrusive procedures, causing information leakage or any other vulnerabilities. Differences in usage pattern cannot be detected by traditional intrusion detection systems if the attacker knows the operation sequences and his access limits. Such an attack, however, can be uncovered if the detection is based on biometrics information.

In recent years there has been increasing interest in biometrics systems. The Oxford dictionary definition of biometrics is “application of statistical analysis to biological data”. In the field of computer security, biometrics is defined as the automated use of a collection of factors describing human behavioral or physiological characteristics to establish or verify a precise.

Biometrics systems operate in two modes, the enrollment mode and the verification/identification mode. In the first mode, biometrics data is acquired using a user interface or a capturing device, such as a fingerprint scanner. Raw biometrics data is then processed to extract the biometrics features representing the characteristics that can be used to distinguish between different users. This conversion process produces a processed biometrics identification sample that is stored in a database for future identification/verification needs. Enrolled data should be free of noise and any other defects that can affect its comparison to other samples. In the second mode, biometrics data is captured, processed and compared against the stored enrolled sample. According to the type of application, a verification or identification process will be conducted on the processed sample.

The verification process conducts one-to-one matching by comparing the processed sample against the enrolled sample of the same user. For example, a user is authenticated at login by declaring his identity by entering his login name. He then confirms his identity by providing a password and biometrics information, such as his signature, voice password, or fingerprint. To verify the identity, the system will compare the user's biometrics data against his record in the database, resulting in a match or non-match. The identification process matches the processed sample against a large number of enrolled samples by conducting a 1 to N matching to identify the user, resulting in an identified user or a non-match.

Regardless of the biometrics system employed, the following metrics must be computed to determine the accuracy of the system:

1. False Acceptance Rate (FAR), the ratio between the number of occurrences of accepting a non-authorized user compared to the number of access trials.

2. False Rejection Rate (FRR), the ratio between the number of false alarms caused by rejecting an authorized user compared to the number of access trials.

3. Failure to Enroll (FTE), the ratio characterizing the number of times the system is not able to enroll a user's biometrics features; this failure is caused by poor quality samples during enrollment mode.

4. Failure to Capture (FTC), the ratio characterizing the number of times the system is not able to process the captured raw biometrics data and extract features from it; this occurs when the captured data does not contain sufficient information to be processed.

FAR and FRR values can vary significantly depending on the sensitivity of the biometrics data comparison algorithm used in the verification/identification mode; FTE and FTC represent the sensitivity of the raw data processing module.

In order to tune the accuracy of the system to its optimum value, it is important to study the effect of each factor on the other. FIG. 1 shows the relation between FAR and FRR for a typical biometrics system. If the system is designed to minimize FAR to make the system more secure, FRR will increase. On the other hand, if the system is designed to decrease FRR by increasing the tolerance to input variations and noise, FAR will increase. For the system indicated in FIG. 1, the point E, where FAR and FRR reach approximately equal low values, represents the optimum tuning for this system.
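The FAR/FRR trade-off and the tuning point E can be reproduced with a threshold sweep. The following is an added example, not code from the patent: the similarity scores are constructed, a sample is assumed to be accepted when its score is at or above the threshold, and FAR and FRR are computed over impostor and genuine trials respectively.

```python
from typing import List, Tuple

# Constructed sample scores (not from the patent). Each value is a similarity
# score in [0, 1]; higher means the sample looks more like the enrolled user.
GENUINE = [0.91, 0.88, 0.84, 0.79, 0.76, 0.73, 0.69, 0.62, 0.55, 0.41]
IMPOSTOR = [0.72, 0.63, 0.58, 0.49, 0.44, 0.38, 0.31, 0.27, 0.19, 0.12]


def far_frr(genuine: List[float], impostor: List[float],
            threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) when a sample is accepted iff score >= threshold.

    Assumption: FAR is counted over impostor trials and FRR over genuine
    trials, the usual way the two ratios are normalised.
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(genuine: List[float], impostor: List[float],
          steps: int = 100) -> List[Tuple[float, float, float]]:
    """Evaluate (threshold, FAR, FRR) on an even grid of thresholds in [0, 1]."""
    rows = []
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(genuine, impostor, t)
        rows.append((t, far, frr))
    return rows


def equal_error_point(genuine: List[float], impostor: List[float],
                      steps: int = 100) -> Tuple[float, float, float]:
    """Return the (threshold, FAR, FRR) row where |FAR - FRR| is smallest.

    This is the point E of the FAR/FRR plot. Ties are broken towards the
    lowest threshold so the result is deterministic.
    """
    return min(sweep(genuine, impostor, steps),
               key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    # A strict threshold removes false accepts but rejects genuine users;
    # a lax threshold does the opposite.
    print("strict 0.80:", far_frr(GENUINE, IMPOSTOR, 0.80))
    print("lax    0.30:", far_frr(GENUINE, IMPOSTOR, 0.30))
    print("point E    :", equal_error_point(GENUINE, IMPOSTOR))
```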

The utilization of biometrics technology has been limited to identity verification in authentication and access control systems. Hence, important security applications such as intrusion detection systems have been left out of this technology. There are two reasons for this. First, most biometrics systems require a special hardware device for biometrics data collection and this restricts their use to network segments that provide them. This makes the systems irrelevant for a significant number of remote users, who operate outside of these network segments. Second, most biometrics systems require active involvement of the user, who is asked to provide data samples that can be used to verify his identity. This excludes the possibility of passive monitoring, which is essential for intrusion detection. There are also a number of secondary obstacles to the use of biometrics for intrusion detection, such as whether the technology allows dynamic monitoring or real-time detection.

Keystroke Dynamic Biometrics:

A popular biometrics system that escapes some of the limitations of behavioral biometrics is keystroke dynamics biometrics. Keystroke dynamics doesn't require special hardware for data collection (a regular keyboard is enough). Under certain circumstances it can be used for dynamic monitoring. The traditional keystroke technology, however, doesn't allow passive monitoring as the user is required to type a predefined word or set of words that is used to identify him. The dwell time and the flight time for keyboard actions are then measured. Thereafter, a set of so-called digraphs, tri-graphs or n-graphs is constructed and analyzed to produce a distinctive pattern. User authentication and classification are the most suitable applications for such technology.

Mouse Dynamic Biometrics:

Previous work on mouse dynamics has, so far, been limited to user interface design improvement. Studies have been conducted to establish the applicability of Fitts' law in predicting the duration of a movement to a target based on the size of the target and the distance from the starting point to the target. According to Fitts' law, the mean movement time for a movement with distance A to a target with width W is as follows:

MT=a+b(log₂(2A/W)) where a and b are empirically determined parameters.

In experiments focused on graphical user interface design, mouse cursor movements were measured to assess psychological responses in patients. A specific user interface was used to force the user to do specific movements. The user was asked to move the mouse from a specific point, approaching a specific object located at a certain distance. The study took into consideration the effect of movement direction and the object size. The study allowed the understanding of several user interface properties related to the shape, size, location, and preferred angle of approach of the target object.

It is an objective of the invention to overcome the deficiencies of the prior art.

SUMMARY OF THE INVENTION

The present invention provides a system and methods for computer user profiling based on behavioral biometrics. The approach consists of establishing distinctive profiles for computer users based on how they use a motion-based input device such as, but not limited to, a mouse and/or a keyboard. The profiles computed in the present invention are more accurate than those obtained through the traditional statistical profiling techniques, since they are based on distinctive biological characteristics of users.

The present invention allows passive, dynamic, and real-time monitoring of users without the need for special hardware—it simply requires a motion-based input device, such as a standard computer mouse or keyboard for data collection. Mouse and keystroke dynamics biometrics are two related technologies that complement each other.

In one embodiment of the invention, a behavioral biometrics-based user verification system for use with a motion-based input device is provided. The system comprises a data interception unit for receiving inputs from a user, a behavior analysis unit operatively coupled to the data interception unit, and a behavior comparison unit operatively coupled to the behavior analysis unit. The system translates behavioral biometrics information into representative data, stores and compares different results, and outputs a user identity result.

In one aspect of the invention, the user verification is suitably configured for dynamic monitoring.

In another aspect of the invention, the user verification is suitably configured for passive data collection.

In another aspect of the invention, the user verification system is suitably configured for real-time monitoring.

In another aspect of the invention, the user verification further comprises secure communication protocols operatively coupled to the data interception unit.

In another aspect of the invention, in the user verification system, the data interception unit is configured to identify data from a mouse as one of movement, drag and drop, point and click, and silence, such that in use, the system receives data from a mouse.

In another aspect of the invention, in the user verification system, the data interception unit is further configured to characterize movement based on at least one of average speed, average traveled distance, and direction of movement.

In another embodiment of the invention, the data interception unit is configured to identify actions from a keyboard on the basis of dwell time and flight time such that in use, the system receives data from a keyboard.

In another aspect of the invention, the data interception unit is further configured to identify action from a mouse as one of movement, drag and drop, point and click, and silence, such that in use, the system receives data from a mouse and from a keyboard.

In another aspect of the invention, the data interception unit is further configured to characterize mouse movement based on at least one of average speed, average traveled distance, and direction of movement.

In another embodiment of the invention, a method of characterizing a user comprises the steps of moving a motion-based input device, collecting data from the device, processing the data, and modeling the data using suitably selected algorithms to develop a signature for a user.

In one aspect of the invention, the method further comprises comparing the signature with a signature of an authorized user.

In another aspect of the invention, the method further comprises filtering the data after processing and before modeling to reduce noise.

In another aspect of the invention, the method further comprises passively collecting data.

In another aspect of the invention, the method further comprises collecting, processing and modeling the data in real-time.

In another aspect of the invention, the method is further characterized as moving a mouse, collecting data from the mouse, processing the data, and modeling the data using suitably selected algorithms to develop a signature for a user.

In another aspect of the invention, the collecting data further comprises characterizing movement based on at least one of average speed, average traveled distance, and direction of movement.

In another embodiment of the invention, the method is further characterized as using a keyboard, collecting data from the keyboard, processing the data, and modeling the data using suitably selected algorithms to develop a signature for a user.

In one aspect of the invention, the collecting data further comprises characterizing movement based on flight time and dwell time.

In another aspect of the invention, the method further comprises collecting data from a mouse, processing the data and modeling the data using suitably selected algorithms to develop a signature for a user based on both mouse and keyboard data.

In another aspect of the invention, the collecting data further comprises characterizing movement based on at least one of average speed, average traveled distance, and direction of movement.

LIST OF FIGURES

The invention will be better understood with reference to the following figures:

FIG. 1. Tuning the system for best accuracy by studying the relation between FAR and FRR.

FIG. 2. Detector architecture in accordance with an embodiment of the invention.

FIG. 3. Mouse dynamics detector architecture in accordance with an embodiment of the invention.

FIG. 4. Example of data generated from the interception unit.

FIG. 5. Neural network used in the behavior modeling stage.

FIG. 6. The log-sigmoid transfer function.

FIG. 7. Determining the training stop point for curve approximation neural network.

FIG. 8. Mouse signature reproducibility.

FIG. 9. Comparing mouse signatures.

FIG. 10. Average speed for different movement directions.

FIG. 11. Histogram of the directions of movement.

FIG. 12. Average speed for different types of actions.

FIG. 13. Histogram of the types of actions.

FIG. 14. Comparing traveled distance histograms.

FIG. 15. Comparing elapsed time histograms.

FIG. 16. Implementation of the detection neural network.

FIG. 17. Neural Network used for behavior classification.

FIG. 18. Experiment hardware setup.

FIG. 19. Neural network training curve for the first user.

FIG. 20. Neural network model used in the detector.

FIG. 21. Tri-graph based analysis.

FIG. 22. Example on how to approximate unavailable digraphs.

DETAILED DESCRIPTION OF THE INVENTION

There are two embodiments of the system of the present invention, as shown in FIG. 1. The first is keystroke dynamics and the second is mouse dynamics. These both record movement related to the use of the article under normal conditions of operation.

Keystroke Dynamics:

This biometrics measures the dwell time (the length of time a key is held down) and flight time (the time to move from one key to another) for keyboard actions. After these measurements are collected, the collected actions are translated into a number of digraphs or tri-graphs and are then analyzed in order to produce a pattern. In access control applications the extracted group of digraphs and tri-graphs are pre-defined since the user is asked to enter a paragraph containing them. In intrusion detection applications, however, this scenario is not applicable. Detecting the behavior from an unexpected set of digraphs requires large amounts of data to be collected in the enrollment mode so as to cover a higher percentage of the captured data in the verification mode. Regardless of the application, an algorithm generates a Keystroke Dynamics Signature (KDS), which is used as a reference user profile. To construct the KDS, we use a key-oriented neural network based approach, where a neural network is trained for each keyboard key to best simulate its usage dynamics with reference to other keys. We also propose a technique which can be used to approximate a tri-graph value based on other detected tri-graphs and the locations of the keys with reference to each other, aiming to minimize the failure to compare ratio (FTC) and to speed up the user enrollment process.

Mouse Dynamics:

Selected mouse actions generated as a result of user interaction are compared with a graphical user interface. The data obtained from these actions are then processed in order to analyze the behavior of the user. Mouse actions include general mouse movement, drag and drop, point and click, and silence (i.e. no movement). The behavioral analysis utilizes neural networks and statistical approaches to generate a number of factors from the captured set of actions; these factors are used to construct what is called a Mouse Dynamics Signature (MDS), a unique set of values characterizing the user's behavior over the monitoring period. Some of the factors consist of calculating the average speed against the traveled distance, or calculating the average speed against the movement direction. Presently up to seven factors that exhibit strong stability and uniqueness capability are reported; however, more may be considered. The detection algorithm calculates the significance of each factor with respect to the other factors in the same signature, and with respect to its corresponding values in other users' signatures. A neural network is trained for each enrolled user, resulting in a different detection scheme to be used for each of them.

Architecture:

FIG. 2 depicts the architecture of the detector. The detector is implemented as client-server software. The client module, which runs on the monitored machine (e.g. potential victim), is responsible for mouse movement and keystroke data collection. These data are sent to the server software, which runs on a separate machine. The server software is in charge of analyzing the data and computing a biometrics profile. The computed profile is then submitted to a behavior comparison unit, which checks it against the stored profiles.

For remote users, the approach consists of either providing them with remote login software or extending secure remote login software such as Secure Shell (SSH). The administrator then requires that users use this particular remote login implementation for remote access.

It is common practice in most organizations that remote access be regulated by a defined and strict policy. In order to ensure that only users abiding by this policy access the monitored network, the biometrics detector is extended with a network traffic analyzer that monitors both attempted and established connections to the target machine. A connections list established by the traffic analyzer is compared against the active users list maintained by the core biometrics detector, and possible discrepancies are then reported as intrusions to the security administrator. This applies even when the data collection module is installed on the target machine.

If the network analyzer detects resource usage on the target machine while there is no biometrics data collected during a session, this will raise the possibility that corresponding network traffic is due to a malicious process, which is not being executed by a legitimate user. On the other hand, if the biometrics detector is able to monitor activities on the target machine while the network analyzer failed to detect the network traffic resulting from such activities, this will raise the possibility that the attacker managed to modify the behavior of the running application.

A key issue concerns the protection of the biometrics data collected from forgery. To ensure that an intruder cannot intercept and modify the collected data, secure communication protocols for client and server interactions are used. Forgery can still happen by observing the biometrics generation process or by stealing biometrics samples. In the particular case of mouse and keystroke dynamics, forgery by observation is extremely difficult to achieve. For each machine connected to the protected domain the administrator may enforce the following policy:

“
- There is NO rexec or telnet access to this machine.
- There is NO rlogin or rsh access to this machine from outside of DOMAIN_P.
- FTP is NOT secure and may be removed from this machine in the near future.
- To access this machine remotely, use Secure Shell protocol 2 (SSH2), Secure FTP (SFTP), and/or Secure Copy Protocol (SCP)
- Bio Client Version 1.0 should be running on the remote side in order to access the machine remotely.
- Software available on this machine is listed at: http://Web_Domain/computing/software.shtml
- Use of this facility must adhere to: ‘Policy 6030: Organization Computing and Telecommunications User Responsibilities’, http://Web_Domain/policies/pol6000/6030CTUR.html AND ‘Organization Standards for Professional Behavior’, http://Web_Domain/policy/professional-behaviour.html
- Note that this machine will usually be rebooted at the end of every month. Please schedule your jobs accordingly.

System Administrator: admin Apr 04 2004”

Mouse action can be classified as, for example, but not limited to, one of the following categories:

1. Movement (General Movement)

2. Drag and Drop (the action starts with mouse button down, movement, then mouse button up)

3. Point & Click (mouse movement followed by a click or double click)

4. Silence (No Movement)

Different approaches are used in each category to collect the factors characterizing it. Some examples of the type of factors collected from each analysis are the following:

- Calculating the average speed against the traveled distance.
- Calculating the average speed against the movement direction (eight directions are considered).
- Calculating the average traveled distance for a specific period of time with respect to different movement directions. From such data we can build a usage pattern for the different directions.

For each factor, the reproducibility and discrimination capability is then determined.

Data Acquisition and Processing

FIG. 3 shows a mouse dynamics detector system, generally referenced as 10. The system 10 consists of three units: a Data Interception Unit 12, a Behavior Analysis Unit 14, and a Behavior Comparison Unit 16. The detector 10 translates biometrics information into representative data, stores and compares different results, and outputs the user identity verification result.

The Data Interception Unit 12 is responsible for transparently intercepting and converting all mouse movements and actions into meaningful information. It continuously feeds the Behavior Analysis Unit 14 with the processed data. The Behavior Analysis Unit 14 is responsible for analyzing the received data, identifying working sessions, and modeling the data to produce the MDS. The functionality of the Behavior Analysis Unit 14 changes according to the operation mode. In the enrollment mode, it works on data from different sessions to produce the reference MDS for the user. In the verification/identification mode, this unit generates the MDS for the user during the detected session.

The Behavior Comparison Unit 16 is responsible for comparing the generated MDS to the reference MDS of the user. This unit maintains a database of all reference signatures calculated for all known system users. This database is used for the user identification/verification purpose. The Behavior Comparison Unit 16 uses specific comparison algorithms for different MDS factors. The output of the unit is a ratio representing the difference between the detected behavior and the reference one. The higher this ratio is, the more confident the system is that the signature is for the same user. Other security modules (e.g. intrusion detector) for different security needs can use this ratio as a biometrics suspicion ratio on the identity of the user.

The first step in the detector 10 is to monitor the mouse actions. Running a process in the background that hooks all mouse actions transparently, without affecting the application receiving the actions, accomplishes this. The data collected are a list of actions, for example, but not limited to, mouse move event, left button down event, or left button up event. Such events do not provide meaningful information that can be used in analyzing the behavior. Consequently, it is the responsibility of the interception software to translate those events into meaningful actions. For example, a set of actions that is considered to be a good input to the behavior analysis unit could be represented by the following series of events, measured in milliseconds:

- a mouse movement from a position to another position,
- followed by a period of silence,
- followed by another mouse move ended by a click or double click.

The interception software also detects the direction of movement foreach generated movement action. Eight movement directions are consideredin the data interception unit 12 software. The interception softwarewill continuously feed the behavior analysis unit 14 every time mouseactions are detected on the monitored workstation 18. An example of theproduced record contents is the type of action, the movement direction,the traveled distance, and the elapsed time in milliseconds. FIG. 4shows an example of the intercepted data. The x-axis represents thetraveled distance and the y-axis represents the movement speed. Eachpoint on this figure represents an intercepted mouse action. Forsimplicity of the example the effects of the type of action and movementdirection are ignored. Thus, this curve gives a general idea of how theuser mouse movement speed is affected by the distance traveled. The datainterception unit 12 deals directly with the mouse 20.

One of the parameters affecting the accuracy of this detector is thedesktop resolution. If the reference MDS has been calculated on aspecific resolution while the detection process has been done on adifferent resolution, this will affect the range of the data collectedand will be reflected on the results. Another parameter is the operatingsystem mouse pointer speed and acceleration settings. Any changes tothese settings can affect the calculated figures and also affect theuser behavior itself while dealing with the mouse input device. As anexample, if the mouse pointer speed is slow, the user will need morethan one action to move the pointer along a distance, whereas a singleaction at medium speed may be all that is required to move the samedistance. The mouse button configuration will also affect the detector10. In order to achieve reproducible results, variable factors should befixed for each user on a specific workstation 18.

Session Identification

As the behavior analysis unit 14 receives input from the data interception unit 12, the data will be processed in batches. Each batch consists of a number of monitored actions. A number of parameters are used in this process:

-   Session start is determined if an action is received for a specific user, and there were no current sessions in effect for this user.
-   Session end is determined if the current active session length reached the maximum limit, or the number of recorded actions in this session exceeded the maximum limit. This limit is calculated based on several factors; it can be calculated per user, depending on the average number of actions the user produced in a period of time.

A session tag is associated with each session. This tag contains information on the session such as, but not limited to, user name, machine name, Internet protocol address, start time/date, and end time/date. This module maintains a small database for the current recognized sessions. In the enrollment mode, a number of sessions for the same user will be stored in this database. These sessions will be used by the behavior modeling stage to generate the user's reference behavior. In the verification/identification mode a recognized session will be kept in the database until it is processed by the behavior modeling stage.

After the collected data has been converted into sessions, the data are filtered to decrease noise resulting from both human and machine sources. Thereafter, the behavior modeling module processes the batch of actions to generate the MDS. For example, FIG. 4 shows the traveled distance against movement speed data before the filtration process took place. Two filters were applied before sending the data to the behavior modeling stage. The first filter restricted the input data to a specific range, eliminating any data above or below that range, for example restricting the distance range from 25 pixels to 900 pixels. The second filter eliminated any reading on the y-axis that was determined to be highly deviant from the mean of its adjacent points.

Behavior Modeling

The output of the noise reduction stage was examined and compared to the output for different sessions for the same user in order to find a pattern characterizing the graph. In order to automate the detection process, however, the data were formalized. Various statistical analysis packages can be used to achieve this goal, according to the characteristic of the factor. In the present example of the traveled distance against movement speed factor (see FIG. 4), a neural network was used to approximate the collected data to a curve that could be used to identify the user behavior. One of the most common uses of neural networks is function approximation. It was shown by Hecht-Nielsen that for any continuous mapping f with n inputs and m outputs, there must exist a three layer neural network with an input layer of n nodes, a hidden layer with 2n+1 nodes, and an output layer with m nodes that implements f exactly [Hecht-Nielsen 1987]. According to those results, it was postulated that neural networks can approximate any function in the real world. Hecht-Nielsen established that a back propagation neural network is able to implement any function to any desired degree of accuracy [Hecht-Nielsen 1989].

A feed-forward multi-layer perceptron (MLP) network was employed for the neural network. MLP is one of the most popular network architectures; it is widely used in various applications. The network is depicted in FIG. 5 and consists of a number of nodes organized in a layered feed-forward topology. The feed-forward topology consists of an input layer, an output layer and one hidden layer.

All connections between nodes were fed forward from inputs toward outputs. The MLP network used a linear Post Synaptic Potential (PSP) function; the PSP function used was the weighted sum function. The transfer function used in this network was the log-sigmoid function. The function generated outputs between 0 and 1 as the neuron's net input went from negative to positive infinity (see FIG. 6).

A linear transfer function was used for the input and output layers to allow the expected input and output range. For faster training, the network was initialized with the weights and biases of a similar network trained for a straight line.

The output of the neural network was described by the following equation:

$y = \left( \sum_{j=1}^{N} w_{2j} \cdot \frac{1}{1 + e^{\left( \sum_{i=1}^{N} w_{ij} \cdot x \right) - b_{ij}}} \right) - b_{2}$

Where $w_{ij}$ and $b_{ij}$ represent the weights and biases of the hidden and output layers respectively, x is the input to the network, and N represents the number of nodes in the hidden layer (which is set to N=5 in our design).

The back propagation algorithm was used to train the network. The back propagation algorithm searched for the minimum of the error function in weight space using the method of gradient descent. The error criterion of the network was defined as follows:

$E = \frac{1}{2} \sum_{i=1}^{p} \left( t_{i} - y_{i}(x_{i}, w) \right)^{2}$

Where w represents the network weights matrix and p is the number of input/output training pairs set. Weights were adjusted during the training trials until the combination of weights minimizing the error criterion was found. This set of weights was considered a solution for the learning process. The back propagation learning rule, which calculates the weight increment, was described as follows: $\Delta w_{ij} = \eta \cdot \delta_{j} \cdot y_{i}$, where $\eta$ is a trial independent learning rate, and $\delta_{j}$ is the error gradient at node j.

During the behavior modeling stage, the neural network was trained with filtered collected data. Input vectors and their corresponding target vectors were used. The back propagation training algorithm was used to train a network until it could approximate a function describing the collected data.

The training approach may involve the curve over-fitting problem. In order to avoid the over-fitting problem, first the right complexity of the network was selected. A network with a single hidden layer containing five perceptrons was sufficient to produce a good result. Training of the network must be validated against an independent training set. At the beginning of the training, the training error and the validation error decreased until a point was reached where the validation error started to increase. This point is the stop point (corresponds to point A in FIG. 7). The stop point is where the training should stop to obtain the desired generalization.

After the network-training curve reached the stop point, the network was fed with a test stream presenting the spectrum of the input data. The result was a curve approximation of the training data. This curve was considered as a factor in the MDS for this user.

FIG. 8 shows examples of mouse signatures calculated for the same user over a number of sessions. Notice that the curves are very close and that the deviation from their average is low. An approach for calculating the reference mouse signature was to use the average from a number of sessions as a reference. Large deviations between different sessions would show that the training is not completed properly. This provides an indication that there is need for tuning.

Determination of the proper detection session period is an important factor to consider. The aim is to minimize the detection session without affecting the accuracy of the system.

After the generation of the mouse signature, which represents the user behavior, an important concern is how to discriminate between users based on the generated information. The function of the Behavior Comparison Unit 16 is to compare the calculated factors (Mouse Signature) against a reference signature for the same user.

FIG. 9 gives an example of the comparison process. The two curves in FIG. 9a were for the same user. Notice that the two curves are close to each other and that the difference between the curves is low. FIG. 9b shows two curves for two different users. The difference between the curves is high, which indicates a high difference in the behaviors and a high possibility that they belong to two different users.

The comparison technique used for this factor was to calculate the sum of the absolute difference between the curves. If the result is higher than a threshold, then those curves belong to two different users. The threshold can be determined for each user during the enrollment phase, when the reference mouse signature is generated.
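The following is an added example, not code from the patent: it applies the two noise filters described under Session Identification, builds a 12-point speed-versus-distance curve, averages five enrollment sessions into a reference, and decides with the sum of absolute differences against a per-user threshold. The bin-averaged curve stands in for the neural-network curve fit, and the function names, the `tol` and `margin` values, and the sample sessions are assumptions constructed for illustration.

```python
from statistics import mean

LO, HI, BINS = 25, 900, 12  # distance range from the text; 12 MSD inputs (Table 2)

def range_filter(actions, lo=LO, hi=HI):
    """First filter: keep actions whose traveled distance lies in [lo, hi] pixels."""
    return [(d, s) for d, s in actions if lo <= d <= hi]

def neighbor_filter(actions, tol=1.0):
    """Second filter: drop a speed reading that differs from the mean of its
    adjacent points (ordered by distance) by more than tol times that mean.
    The tolerance value is an assumption; the text only says 'highly deviant'."""
    pts = sorted(actions)
    kept = []
    for i, (d, s) in enumerate(pts):
        adj = [pts[j][1] for j in (i - 1, i + 1) if 0 <= j < len(pts)]
        if adj and abs(s - mean(adj)) > tol * mean(adj):
            continue
        kept.append((d, s))
    return kept

def msd_curve(actions, bins=BINS, lo=LO, hi=HI):
    """Average speed per distance bin (stand-in for the fitted MLP curve)."""
    width = (hi - lo) / bins
    buckets = [[] for _ in range(bins)]
    for d, s in neighbor_filter(range_filter(actions, lo, hi)):
        buckets[min(int((d - lo) / width), bins - 1)].append(s)
    filled = [i for i, b in enumerate(buckets) if b]
    if not filled:
        raise ValueError("session has no usable actions after filtering")
    # An empty bin borrows the value of the nearest populated bin.
    return [mean(buckets[min(filled, key=lambda j: abs(j - i))]) for i in range(bins)]

def sad(curve_a, curve_b):
    """Sum of the absolute difference between two curves."""
    return sum(abs(a - b) for a, b in zip(curve_a, curve_b))

def enroll(sessions, margin=1.5):
    """Reference = average of the enrollment curves; threshold = margin times the
    largest enrollment deviation (the margin rule is an assumption)."""
    curves = [msd_curve(s) for s in sessions]
    reference = [mean(col) for col in zip(*curves)]
    return reference, margin * max(sad(c, reference) for c in curves)

def same_user(session, reference, threshold):
    """A difference above the threshold means the curves belong to different users."""
    return sad(msd_curve(session), reference) <= threshold

def constructed_session(gain, offset):
    """Constructed data: (distance px, speed) pairs, speed rising with distance."""
    return [(d, gain * d ** 0.5 + offset) for d in range(10, 1000, 35)]

if __name__ == "__main__":
    params = [(10, 50), (10.2, 48), (9.8, 52), (10.1, 51), (9.9, 49)]
    ref, thr = enroll([constructed_session(g, o) for g, o in params])
    print(same_user(constructed_session(10.05, 50.5), ref, thr))  # legitimate user
    print(same_user(constructed_session(14, 30), ref, thr))       # different user
```

A session recorded at a different desktop resolution or pointer speed shifts the whole curve, so this check would reject it for the reason the text gives about fixing those settings per workstation.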

The Movement Speed compared to Traveled Distance (denoted MSD) factor had strong discriminating and reproducibility capability. Consequently, the MDS could be based on this factor; however, basing the MDS on the combination of several of these factors tends to yield better performance.

The analysis of the impact of the direction of movement (MDH) involved two kinds of studies. First, studying the relation between the direction of movement and the movement speed (denoted as MDA). Second, studying the population of actions with respect to the movement direction, measured by calculating the percentage of actions in each of the recognized eight directions of movements compared to the total number of actions in a session.

FIG. 10 shows the distribution of average movement speed against the direction of movement for two different users. Solid lines represent a number of sessions for the first user. Dotted lines represent the second user's sessions. Notice that horizontal movements (directions 2, 3, 6, and 7) were performed with higher speed than vertical movements (directions 1, 8, 4, and 5).

FIG. 11 shows the histograms of the performed actions in each direction. Notice that some directions gained more actions than others. Furthermore, there was usually a direction that consumed more actions than all other directions. The figure shows the distribution for two different users: user 2 performed more actions in the 3rd direction, while user 1's actions dominated more in the 4th direction. The ratios between curve points were approximately constant for each user, indicating high reproducibility for this factor.

MDA and MDH factors were each represented by eight numbers to be added to the user's signature. The amplitude of those numbers, and the ratio between them produced meaningful information toward behavioral user identification.

Type of action analysis is based on the fact that the type of action the user is performing affects his behavior. Three types of movements were considered: point and click (PC), drag and drop (DD), and regular mouse movement (MM). Similar to the direction of movement study, the type of action was studied with respect to the movement speed (denoted ATA) and the distribution of the performed actions over the three types of actions (denoted ATH). FIG. 12 shows the relation between the movement speed and the type of performed action for the three recognized types of actions. Two components were extracted from the curve: the range of each type of action, and the ratio between the entries. It is possible to rely on this factor for identification if the ratio between the entries is constant. For example, the speed of movement for user 2 in FIG. 12 was at its lowest level for the point and click type of action compared to other types of actions.

FIG. 13 shows the histogram of the types of actions for a number of sessions for two different users. Behavior differences were easily detected for the two users and values and ratios between entries were easily identified. The following facts were extracted from the curves:

-   User 1 performed a very low number of regular mouse movements and depended mostly on point click and drag drop types.
-   User 2 performed a very high number of regular mouse movements, and a very low number of point and click actions.

The reproducibility of this factor was high. Additionally, it was relatively unique to the user. The information extracted from the analysis was very helpful for the detection module to differentiate between the behavior of users.

The histogram of the traveled distance (denoted TDH) illustrates how the user performed actions. The number of actions performed with short distances was higher than those performed with long distances.

The distribution of the distances differed from one user to another. FIG. 14 shows a comparison between two users: user 2 depended more on short distances for performing actions. As the probability of occurrence of large distances is usually low (below 15%), it is possible to depend only on the first two points of the curve to represent this characteristic. The reproducibility of this factor was found to be high, while its uniqueness was considered average.

The elapsed time is the time used to perform an action. It depends on the type of the performed action. The study of movement elapsed time histograms (denoted MTH) illustrates how a user's speed varies when he is performing some actions. FIG. 15 shows the time distribution for two users; the measurement unit used was 0.25 second. The curve shows the distribution for actions performed in 8 seconds and less, with a 0.5 second interval between curve points. From this figure we concluded that the reproducibility of this factor was good. In fact, the first two points of the curve provided significant behavioral information.

For example:

-   For user 1, the first point in the curve (0-0.5 second) represented around 34% of the total number of actions.
-   The maximum population for user 1 happened in the first point on the curve, while the maximum for the second user happened in the second point (0.5-1.0 second).

The results indicated that the first 3 points of the curve could be used to represent this factor in the user global signature (e.g. MDS).

By studying the data collected from the experiment and analyzing their statistical characteristics, the following observations were made:

1.  The reproducibility of each factor of the mouse signature varied, depending on the user and the type of factor. Factors with higher reproducibility gained more weight in the detection process.
2.  It was noticed that for some users, some factors had a stronger discrimination capability than for other users. The uniqueness factors with higher reproducibility gained more weight in the detection process.

In order to utilize the observations, the detection technique assigned the proper level of significance to each factor according to its reproducibility and its uniqueness. The reproducibility of a factor was detected by analyzing more sessions for the user, while the uniqueness characteristics were detected by including a larger number of other users' sessions in the comparison process. In other words, the detection algorithm was able to build an identification pattern for each user and utilize all detectable unique characteristics to discriminate efficiently between different behaviors.

The detection approach adopted in this document consisted of using neural networks to detect differences between behaviors. Similar neural network approaches have been used successfully in different recognition applications, such as face recognition and signature recognition.

The approach consisted of conducting a different neural network training on a per user profile basis. FIG. 16 illustrates how the detection process is implemented in both the enrollment and detection modes of operation. In order to enroll a new user, training data was prepared from previously recorded sessions stored in the behavior modeling unit database (see FIG. 3). Second, a neural network was trained and the status of the trained network was stored in the signatures database associated with the behavior detection unit.

In the detection mode, the behavior detection unit loaded the legitimate user's stored neural network status. The saved status was then applied to the network, and the monitored behavior resulting from session analysis was applied to the neural network. The output of the network was the confidence ratio, a percentage number representing the degree of similarity of the two behaviors.

The neural network used in the detection process (see FIG. 17) was a feed-forward MLP network consisting of three layers. The input layer consisted of 39 nodes, which is the total number of inputs representing the factors involved in the MDS. The hidden and output layers consisted respectively of 40 and one nodes. The expected output range was from 0 to 100. Table 2 shows the description of the inputs to the network, which consisted of a set of numbers describing the MDS.

TABLE 2 Examples of Factors involved in a Mouse Signature

| Factor | Description | Inputs |
|---|---|---|
| MSD | Movement Speed compared to Traveled Distance | 12 |
| MDA | Average Movement Speed per Direction of Movement | 8 |
| MDH | Direction of Movement histogram | 8 |
| ATA | Average Movement Speed for Action Types | 3 |
| ATH | Type of Action Histogram | 3 |
| TDH | Traveled Distance Histogram | 2 |
| MTH | Movement Elapsed Time Histogram | 3 |

The transfer function of the neural network was a Log-Sigmoid function. The output of the network can be defined as follows:

$y = \left( \sum_{j=1}^{N} w_{2j} \cdot \frac{1}{1 + e^{\left( \sum_{i=1}^{N-1} w_{ij} x_{i} \right) - b_{1j}}} \right) - b_{2}$

Where the $x_{i}$ represent the inputs to the network, and $w_{ij}$, $b_{ij}$, and N are as defined previously. N-1 represents the number of nodes in the input layer. The back propagation algorithm was used to train the network. The data prepared for network training was designed as follows:

1.  Positive training: data collected from 5 sessions for the user trained for an output of 100, meaning 100% confidence in identity.
2.  Negative training: data collected from other users based on 5 sessions per user with an output of 0, meaning 0% confidence in identity.

FIG. 19 shows the training curve for one of the users; the error level is set to be 0.001. The results indicate that the network was able to detect a pattern specified only for the user to differentiate his behavior from others.

EXAMPLE 1

Experiments involving 22 participants were conducted over 9 weeks. Participants installed the client software and used their machine for their routine activities. Mouse and keystroke data were collected transparently and sent to a central server. At the end of the data collection phase, we used the collected data to conduct an offline evaluation of our detection system. To do so, we divided the participants into 2 groups: a group of 10 representing authorized users and a group of 12 representing unauthorized users. We computed a reference signature for each member of the first group using some of their own sessions. For each legal user we used the sessions belonging to the other users (authorized and unauthorized) to conduct some masquerade attacks on their reference signature. This resulted in a false acceptance rate of 0.651%.

To evaluate the false positives, for each legal user we compared their own remaining sessions (not involved in the computation of the reference signature) against their reference signature. This resulted in a false rejection rate of 1.312%.

FIG. 18 shows the hardware setup of the experiment. Client software (responsible for monitoring mouse actions) feeds a detection server (software) with the monitored data. The client software, which runs as a background job, starts monitoring user actions when the user login occurs, and stops running when the user logout occurs; the software is totally transparent and does not affect any other application.

The detection server was installed on a local area network and accepted connections from local workstations and from outside the network over the Internet to allow remote users to participate in the experiment. A large number of participants were connected remotely to the network from their home computers or from different countries or cities. The server software stored the collected data in an internal database, along with the session information containing the user ID and other information.

The hardware configurations of the participating computers varied from P2 266 MHz to P4 1.5 MHz. The server configuration was a P3 450 MHz with 256 MB RAM, running the Windows 2000 operating system. The client workstations ran different versions of the Microsoft Windows operating system (Windows 98SE, Windows ME, Windows 2000, and Windows XP).

Data were collected over 998 sessions, an average of about 45 sessions per user. We started the experiment with a maximum detection period of 20 minutes for the 1st week, followed by 15 minute sessions for the rest of the experiment duration. The entire experiment lasted 9 weeks. The number of recorded actions in a session directly affects the training of the neural network. We set the maximum number of actions in a session to 2000. If the number of actions exceeded this limit, another session was created and the newly recorded action would be registered in the new session.

After examining the recorded session data for different users, we noticed that some of the users produce many more actions in their active sessions than others. Identifying such users is much easier than those who generate a lower number of actions.

For the enrollment process, the first five sessions were used to develop the reference signature. We then found that data collected from five sessions was enough to develop the reference MDS for most of the users. To do this, we average the resulting signatures for the five sessions to construct the reference signature, which is then used in the identification/verification mode.

To simulate real life in our experiment, we randomly divided the participating users into two groups: insiders group (10 users/405 sessions) and outsiders group (12 users/593 sessions). A reference signature was calculated for each user in the first group and stored in the database. Sessions of the outsiders' group were used to simulate an attack where the attacker signature was not recorded in the database, thereby testing the ability of the detection algorithm to target such situations. We conducted the analysis of the experiment results in two steps, each addressing one of the two hypotheses that have been formulated at the beginning of this section.

The first part of the analysis was to prove that there was a detectable difference between a user's signature and all other users' signatures in both the insiders' and outsiders' groups. We confirmed this by applying the behavior comparison algorithm to sessions collected from different users against a reference signature of a given user. FAR was calculated by conducting this test for all available reference signatures of all the users in the insiders' group. False acceptance was established if the resulting confidence ratio was over 50%. Fifty sessions out of the 405 sessions of the insider group were dedicated for computing reference signatures for the 10 members (5 sessions per user). For each member in the insider group the remaining insiders' sessions minus his own sessions were used to conduct insider attacks against him, which corresponds to a total of 3195 (=355×10−355) insider attacks. For each user in the insider group, the totality of sessions in the outsider group was used to simulate outsider attacks, which corresponds to a total of 5930 (=593×10) outsider attacks. Hence, 9125 (=5930+3195) masquerade attacks against the insider group were simulated. Masqueraders are (malicious) users impersonating different (legitimate) users [Anderson 1980].

To illustrate the detection process, Table 3 shows sample training data for five different users. The sample data consists of four factors covering five sessions per user. The output shown was set to train the network for the first user. FIG. 19 shows the training curve for the first user, indicating its ability to differentiate between this user and others. To simulate the FAR calculation process, Table 3 shows the confidence ratio for all the included sessions after the network has been trained for the first user. Table 4 shows signatures for one insider (User 5) and two outsiders masquerading as User 1. The insiders signatures shown are different from those used in the network training; the corresponding confidence ratio is also shown in the figure. After running all the comparisons, we computed the false acceptance rate as follows: $FAR = \frac{n_{fa}}{N_{fa}}$, where $n_{fa}$ was the number of false acceptances and $N_{fa}$ the total number of tests. At 50% threshold, we obtained in our experiment FAR = 0.00651, for $N_{fa}$ = 9125 attack attempts.
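The evaluation protocol described above can be written as a small harness; this is an added example, not code from the patent. It sets aside the first five sessions of each insider, builds the legal and masquerade trials as the text describes, and computes FAR and FRR at the 50% threshold. The per-user session counts (chosen only so the group totals are 405 and 593), the user names, and the stub scorer with its two planted errors are constructed assumptions.

```python
from collections import defaultdict

def split_sessions(sessions, insiders, enroll=5):
    """sessions: (user, session_id) pairs in recording order."""
    by_user = defaultdict(list)
    for user, sid in sessions:
        by_user[user].append(sid)
    enrollment = {u: by_user[u][:enroll] for u in insiders}  # reference signature
    held_out = {u: by_user[u][enroll:] for u in insiders}    # not used for reference
    outsider = [(u, s) for u, sids in by_user.items() if u not in insiders for s in sids]
    return enrollment, held_out, outsider

def build_trials(held_out, outsider):
    """Each trial is (claimed identity, real user, session id)."""
    legal, attacks = [], []
    for target, own in held_out.items():
        legal += [(target, target, s) for s in own]
        for other, sids in held_out.items():      # insider attacks
            if other != target:
                attacks += [(target, other, s) for s in sids]
        attacks += [(target, u, s) for u, s in outsider]  # outsider attacks
    return legal, attacks

def far_frr(legal, attacks, confidence, threshold=50.0):
    """False acceptance: attack scored over the threshold.
    False rejection: legal session scored below it."""
    n_fa = sum(confidence(*t) > threshold for t in attacks)
    n_fr = sum(confidence(*t) < threshold for t in legal)
    return n_fa / len(attacks), n_fr / len(legal)

# Constructed scorer standing in for the per-user trained network: perfect
# except for two planted mistakes, so the rates are easy to verify by hand.
CONSTRUCTED_ERRORS = {("in0", "out3", "out3-7"): 80.0, ("in1", "in1", "in1-9"): 20.0}

def stub_confidence(claimed, real, sid):
    default = 100.0 if claimed == real else 0.0
    return CONSTRUCTED_ERRORS.get((claimed, real, sid), default)

def experiment():
    """Constructed session counts: 10 insiders / 405 sessions, 12 outsiders / 593."""
    counts = {f"in{i}": 40 + i % 2 for i in range(10)}
    counts.update({f"out{i}": 49 for i in range(11)})
    counts["out11"] = 54
    sessions = [(u, f"{u}-{k}") for u, n in counts.items() for k in range(n)]
    insiders = [u for u in counts if u.startswith("in")]
    _, held_out, outsider = split_sessions(sessions, insiders)
    return build_trials(held_out, outsider)

if __name__ == "__main__":
    legal, attacks = experiment()
    print(len(legal), len(attacks), far_frr(legal, attacks, stub_confidence))
```

The trial counts do not depend on how the 405 insider sessions are distributed across users, which is why the constructed counts reproduce the 355, 3195 and 5930 figures in the text.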

An analysis of legal connections was conducted only on the insiders' group, in which all reference signatures were already calculated for all the group members. The sessions of each member of the insider group, which were not involved in the calculation of the reference signature, were applied to the detection algorithm. A total of 355 (=405-50) legal connections were simulated for the whole group. A false rejection was established if the confidence ratio was below 50%. Table 5 gives an idea of the FRR calculation process. The figure shows a sample signature for 15 sessions for the same user (user 1), and the confidence ratios computed using his trained neural network.

TABLE 3 Training data for five different users

| User | MDH | ATH |
|---|---|---|
| User 1 | 8.51 16.24 11.93 6.84 11.742 21.72 11.35 11.35 | 48.33 27.78 23.67 |
| | 8.93 15.23 11.20 11.03 14.01 21.71 6.30 11.38 | 51.13 34.32 14.36 |
| | 11.82 13.34 9.98 4.89 14.69 20.43 9.96 14.69 | 51.52 42.23 6.081 |
| | 9.02 12.5 9.37 10.76 11.80 21.52 8.50 16.31 | 52.95 35.41 11.45 |
| | 8.98 14.23 9.68 8.61 19.33 21.61 7.029 10.36 | 50.08 35.32 14.41 |
| User 2 | 7.74 11.26 13.61 6.10 12.91 16.19 12.67 19.24 | 38.02 0.93 60.79 |
| | 14.28 11.22 6.68 10.45 12.75 16.83 13.01 14.28 | 34.69 1.02 64.03 |
| | 16.1 12.74 9.37 9.61 12.74 14.42 14.90 9.85 | 31.01 3.84 64.90 |
| | 15.36 10.48 10 8.53 13.41 14.39 15.38 12.19 | 34.63 5.85 59.26 |
| | 17.81 12.82 12.11 9.97 8.31 19.47 9.50 9.73 | 45.84 6.17 47.74 |
| User 3 | 10.30 14.52 7.02 9.60 13.81 21.31 13.11 10.07 | 47.77 19.43 32.55 |
| | 14.03 11.35 8.90 13.58 14.69 14.69 11.13 11.35 | 42.53 20.93 38.30 |
| | 11.34 12.03 8.33 14.12 14.81 19.44 8.79 10.88 | 39.35 18.05 42.36 |
| | 10.76 9.23 12.30 10.51 15.64 12.82 14.3 14.10 | 42.05 19.74 37.94 |
| | 12.11 9.79 10.05 13.14 14.94 15.20 9.27 15.20 | 39.69 14.43 45.61 |
| User 4 | 15.68 5.30 8.19 22.16 20 13.97 3.85 10.6 | 24.09 13.97 61.68 |
| | 14.67 10.09 9.63 10.09 23.85 15.82 7.56 8.02 | 28.60 10.32 62.84 |
| | 15.42 4.47 10.69 16.91 23.38 12.18 5.72 10.94 | 22.68 12.68 64.17 |
| | 17.09 9.60 8.19 13.81 21.07 10.77 7.02 12.17 | 21.54 14.28 63.93 |
| | 12.34 10.61 12.09 15.30 21.48 12.09 8.88 6.913 | 29.83 11.60 58.51 |
| User 5 | 11.84 7.63 10.52 11.84 13.94 15 11.57 17.36 | 44.47 16.05 39.21 |
| | 15.01 6.77 9.44 11.13 18.64 12.10 11.13 15.49 | 33.41 13.55 52.78 |
| | 10.61 10.34 11.40 10.87 15.65 20.15 10.08 10.61 | 38.72 17.77 43.23 |
| | 11.80 12.04 8.19 8.91 18.79 17.59 10.12 12.29 | 38.62 13.25 49.88 |
| | 11.16 8.25 8.73 12.13 22.08 16.99 7.52 12.86 | 28.15 10.19 61.40 |

| User | ATA | MSD | NN Output | CR After |
|---|---|---|---|---|
| User 1 | 171.2 33.26 111.54 | 16.63 16.16 15.01 12.18 6.39 | 100 | 99.996 |
| | 90.90 21.89 54.53 | 25.43 19.01 15.84 12.42 8.22 | 100 | 100 |
| | 122.28 24.99 73.11 | 29.93 15.18 14.60 11.94 5.51 | 100 | 100 |
| | 103.51 23.41 77.87 | 29.19 18 15.21 11.57 5.97 | 100 | 100 |
| | 146.19 38.96 93.46 | 21.22 17.77 14.72 10.83 5.93 | 100 | 100 |
| User 2 | 198.32 234 209.37 | 19.75 18.19 15.31 9.50 8.06 | 0 | 0.0207 |
| | 170.26 252 184.41 | 20.44 19.02 15.91 11.94 8.12 | 0 | 0.0208 |
| | 261.12 244.7 181.57 | 18.17 15.72 13.46 11.26 9.01 | 0 | 0 |
| | 239.63 86.33 202.95 | 18.34 14.60 13.20 10.16 7.13 | 0 | 0 |
| | 225.78 64.76 235.32 | 15.70 13.53 11.57 9.56 7.19 | 0 | 0 |
| User 3 | 177.51 134.2 92.11 | 18.04 17.41 15.94 13.10 10.34 | 0 | 0.0207 |
| | 192.75 72.04 111.8 | 16.77 18.24 15.38 11.95 12.15 | 0 | 0.0207 |
| | 180.24 102.72 100.07 | 20.57 18.79 16.42 13.31 11.87 | 0 | 0.0207 |
| | 207.22 83.16 137.89 | 17.72 17.06 15.55 12.56 7.05 | 0 | 0.0208 |
| | 194.16 57.07 113.47 | 20.80 18.25 15.91 13.78 9.22 | 0 | 0 |
| User 4 | 176.04 57.3 82.56 | 18.25 17.64 17.08 16.56 16.05 | 0 | 0 |
| | 160.24 138.31 80.55 | 22.65 19.81 18.11 15.00 14.16 | 0 | 0 |
| | 152.7 103.22 90.82 | 19.55 19.55 19.55 14.15 12.20 | 0 | 0.0210 |
| | 130.78 64.39 101.54 | 20.17 20.14 20.1 17.48 12.16 | 0 | 0 |
| | 178.7 35.31 90.12 | 25.76 18.46 16.33 15.26 10.65 | 0 | 0 |
| User 5 | 245.73 148.45 187.92 | 17.91 16.78 13.42 12.70 8.71 | 0 | 0 |
| | 253.65 158.71 132.95 | 17.55 15.60 13.17 11.53 10.83 | 0 | 0.0193 |
| | 267.37 148.9 165.94 | 16.72 15.73 13.27 11.82 8.82 | 0 | 0 |
| | 156.89 161.6 85.64 | 18.66 18.26 15.41 12.16 8.21 | 0 | 0 |
| | 229.66 192.76 134.6 | 18.55 16.71 14.14 12.74 8.08 | 0 | 0 |

TABLE 4 Simulated Attack: One Insider and Two Outsiders Masquerading as User 1

| User | MDH | ATH |
|---|---|---|
| Insider (User 5) | 12.17 8.59 9.30 15.03 15.75 13.60 11.69 13.60 | 30.07 13.12 56.56 |
| | 12.02 10.48 9.71 10.48 13.81 24.55 7.92 10.74 | 36.31 14.83 48.59 |
| | 13.84 9.74 6.66 9.74 20 14.87 10.51 14.35 | 32.30 14.61 52.62 |
| | 10.62 8.99 8.17 10.08 24.25 12.26 10.08 15.25 | 47.41 19.07 33.24 |
| | 7.12 9.58 10.68 10.95 20.27 13.42 11.23 16.43 | 41.09 19.17 39.45 |
| Outsider 2 | 13.45 7.64 17.73 13.45 10.39 16.51 10.70 9.78 | 7.33 2.44 89.90 |
| | 9.02 10.6 17.76 9.28 8.74 14.75 16.68 12.84 | 13.66 3.55 82.51 |
| | 12.53 9.11 7.12 21.08 13.67 10.25 12.25 13.67 | 16.51 9.11 72.08 |
| | 13.05 5.55 12.22 15 13.05 13.88 13.61 13.3 | 13.61 6.66 79.44 |
| | 9.39 8.18 10.90 16.06 11.51 14.54 15.15 13.93 | 22.72 11.81 65.15 |
| Outsider 1 | 15.71 13.68 5.69 7.28 15.26 15.28 10.251 16.62 | 43.96 12.07 43.73 |
| | 20.58 13.42 7.60 9.17 16.55 9.61 7.83 14.98 | 39.15 9.172 51.45 |
| | 14.70 14.95 7.35 9.31 12.74 17.64 8.33 14.70 | 32.84 8.33 58.57 |
| | 18.22 14.80 8.65 7.51 10.02 15.94 13.66 10.93 | 41.23 14.80 43.73 |
| | 15.72 14.78 9.15 11.73 5.86 17.37 11.26 13.85 | 44.13 11.50 44.13 |

| User | ATA | MSD | CR |
|---|---|---|---|
| Insider (User 5) | 222.06 169.6 117.15 | 18.14 15.99 14.16 12.71 10.07 | 8.72E−07 |
| | 235.18 177.03 119.68 | 18.18 15.17 14.06 13.78 10 | 6.54E−09 |
| | 237.3 156.07 107.51 | 18.46 17.77 14.49 13.05 10.30 | 8.13E−10 |
| | 216.92 115.37 138.49 | 17.70 14.64 14.62 10.83 8.45 | 1.06E−06 |
| | 225.57 66.11 154.72 | 16.43 13.72 16.02 12.40 9.95 | 4.11E−07 |
| Outsider 2 | 272.83 127 110.82 | 19.10 18.95 17.01 14.56 11.30 | 1.43E−05 |
| | 150.32 69.846 107.05 | 22.88 20.35 17.68 15.49 12.83 | 1.39E−05 |
| | 203.2 58.125 83.02 | 21.60 20.26 18.24 15.21 10.72 | 1.43E−05 |
| | 202.69 105.83 92.629 | 20.74 17.83 16.09 15.01 10.62 | 1.43E−05 |
| | 174.61 87.282 105.58 | 22.69 22.69 16.75 16.75 12.5 | 1.39E−05 |
| Outsider 1 | 208.46 123.09 120.27 | 19.27 18.31 15.25 12.05 10.02 | 3.77E−05 |
| | 200.34 77.17 101.11 | 24.10 18.11 15.77 10.82 7.018 | 0.17948 |
| | 206.54 68.58 106.09 | 23.02 18.90 14.37 13.62 9.14 | 5.03E−07 |
| | 223.78 109.17 127.88 | 17.24 16.38 15 12.7 9.03 | 1.13E−06 |
| | 233.79 133.55 129.19 | 20.05 18.70 16.53 14.52 10.05 | 0.01187 |

TABLE 5 FRR Calculation for User 1

MDH | ATH
11.40 9.56 11.57 10.90 15.43 20.30 10.23 10.40 | 50.50 45.30 4.02
11.57 11.40 13.75 11.57 12.91 17.61 8.72 12.24 | 50 44.46 5.36
10.99 17.59 9.13 8.79 12.18 21.65 7.27 12.18 | 48.73 43.99 7.10
12.88 14.40 11.32 7.71 13.89 21.26 7.20 11.14 | 50.6 38.59 10.63
11.32 10.79 12.38 7.96 14.51 20.70 10.97 11.15 | 48.31 36.63 14.86
12.92 8.16 17.51 10.88 13.77 16.15 9.88 10.54 | 51.53 39.79 8.50
7.87 10.78 6.39 6.16 12.84 26.37 10.78 16.61 | 48.97 39.04 11.81
13.68 10.68 6.67 6.17 12.52 29.71 5.50 14.85 | 49.08 47.74 3.01
12.79 15.32 8.58 8.82 16.33 17.84 6.58 11.44 | 50.16 43.77 5.89
12 9.833 11.5 7.83 11.5 22.66 8.5 16 | 49.16 48.83 1.83
12.70 10.38 8.86 5.51 16.22 20.06 8.88 17.22 | 50.83 47.49 1.50
8.48 12.31 10.48 6.98 9.81 29.61 4.99 17.13 | 48.41 49.58 1.83
10.41 15.79 8.85 8.85 13.88 21.18 8.50 12.32 | 50.69 40.97 8.15
12 10.33 10.33 9.68 13.66 21.33 6.83 15.65 | 50.33 46.66 2.83
10.2 11.84 11.11 9.47 14.39 19.85 8.74 14.20 | 47.17 30.60 22.04
11.40 9.58 11.57 10.90 15.43 20.30 10.23 10.40 | 50.50 45.30 4.02
11.57 11.40 13.75 11.57 12.91 17.61 8.72 12.24 | 50 44.48 5.36
10.99 17.59 9.13 8.79 12.18 21.65 7.27 12.18 | 48.73 43.99 7.10
12.86 14.40 11.32 7.71 13.89 21.26 7.20 11.14 | 50.8 38.59 10.63
11.32 10.79 12.38 7.96 14.51 20.70 10.97 11.15 | 48.31 36.63 14.86
12.92 8.16 17.51 10.88 13.77 16.15 9.88 10.54 | 51.53 39.79 8.50
7.87 10.78 8.39 6.16 12.84 26.37 10.78 16.61 | 48.97 39.04 11.81
13.68 10.68 8.67 6.17 12.52 29.71 5.50 14.85 | 49.08 47.74 3.01
12.79 15.32 8.58 8.92 16.33 17.84 8.58 11.44 | 50.16 43.77 5.89
12 9.833 11.5 7.83 11.5 22.68 8.5 16 | 49.16 48.83 1.83
12.70 10.36 8.86 5.51 16.22 20.06 8.88 17.22 | 50.83 47.49 1.50
8.48 12.31 10.48 6.98 9.81 29.61 4.99 17.13 | 48.41 49.58 1.83
10.41 15.79 8.85 8.85 13.88 21.18 8.50 12.32 | 50.69 40.97 8.15
12 10.33 10.33 9.68 13.66 21.33 6.83 15.68 | 50.33 48.68 2.83
10.2 11.84 11.11 9.47 14.39 19.85 8.74 14.20 | 47.17 30.60 22.04

ATA | MSD | CR
105.54 32.22 72.33 | 24.46 20.10 15.64 9.56 5.61 | 100
104.94 37.78 54.12 | 23.21 16.18 14.58 10.02 5.44 | 100
77.69 25.87 71.42 | 27.20 24.05 19.28 12.88 5.50 | 97.19
102.64 24.99 91.80 | 32.15 19.35 13.07 10.21 6.08 | 100
122.61 32.13 83.38 | 28.14 20.97 15.69 10.92 7.00 | 100
82.79 27.98 37.44 | 17.89 17.85 16.64 12.38 6.68 | 97.19
90.32 19.03 60.05 | 27.12 22.01 17.07 12.38 8.95 | 97.19
57.88 24.35 30.88 | 25.01 13.61 12.92 10.73 5.44 | 97.19
113.93 28.92 49.6 | 24.07 24.04 11.26 11.20 5.65 | 100
73.85 26.58 50.18 | 16.55 16.55 9.28 8.46 5.11 | 97.19
76.65 31.83 7.55 | 12.38 12.19 11.68 9.92 5.25 | 97.19
48.50 25.93 6.18 | 18.37 18.27 17.97 10.24 4.65 | 97.19
97.65 32.16 67.23 | 14.97 15.29 14.94 11.76 6.93 | 100
71.68 27.05 23.76 | 33.88 21.76 11.84 9.32 5.31 | 97.19
121.98 35.47 93.55 | 19.22 19.23 14.18 12.53 5.61 | 100
105.54 32.22 72.33 | 24.48 20.10 15.64 9.56 5.61 | 100
104.94 37.78 54.12 | 23.21 16.18 14.58 10.02 5.44 | 100
77.69 25.87 71.42 | 27.20 24.05 19.28 12.88 5.50 | 97.19
102.64 24.99 91.80 | 32.15 19.35 13.07 10.21 6.08 | 100
122.61 32.13 83.38 | 28.14 20.97 15.69 10.92 7.00 | 100
82.79 27.98 37.44 | 17.89 17.95 16.64 12.38 6.68 | 97.19
90.32 19.03 60.05 | 27.12 22.01 17.07 12.38 8.95 | 97.19
57.88 24.35 30.88 | 25.01 13.61 12.92 10.73 5.44 | 97.19
113.93 28.92 49.6 | 24.07 24.04 11.26 11.20 5.65 | 100
73.85 26.58 50.18 | 16.55 16.55 9.28 8.46 5.11 | 97.19
76.65 31.83 7.55 | 12.38 12.19 11.68 9.92 5.25 | 97.19
48.50 25.93 6.18 | 18.37 18.27 17.97 10.24 4.55 | 97.19
97.65 32.16 67.23 | 14.97 15.29 14.94 11.76 6.93 | 100
71.68 27.05 23.76 | 33.98 21.76 11.84 9.32 5.31 | 97.19
121.98 35.47 93.55 | 19.22 19.23 14.18 12.53 5.61 | 100

In the experiment described above, we gave total freedom to the participants about which operating environments to use. As a consequence, data were collected using a variety of hardware and software systems. Questions remained about the impact of these variables on the results obtained. For example, what if the perceived difference between the MDS of two different users was simply due to the fact they were using different software applications?

In order to answer these questions, we conducted a small experiment where seven different users were asked to perform the same set of actions using the same machine. More specifically, we developed a fixed user interface for the experiment where each user is asked to perform a specific action between two rectangles. The process was repeated 100 times per user session. In each round the program forces the user to perform the action in a specific direction by changing the position of both rectangles; the distances between the boxes are equal. The software records the time the user consumes to perform the action. All environment variables were fixed in this experiment.

The first null hypothesis we wanted to prove is that for a mouse signature factor, if all other environment variables are fixed, then similar user behavior is observed. Table 6 shows seven different sessions for the same user performing drag and drop in the eight recognized directions. The time shown is the average time required to perform the action in milliseconds. In order to emphasize the similarity of the readings we calculate chi-square for the recorded sessions. We use the 1st session as the expected frequency in the chi-square test. Since we were comparing 8 proportions the number of degrees of freedom is 7; for this number we have χ²_(0.01) = 18.475. From Table 6 we notice that most of the calculated values are lower than this value (only one result is slightly above the limit), which means that the first null hypothesis is true.

TABLE 6 Comparing drag-drop sessions for the same user

1 2 3 4 5 6 7 8 | Avg. | χ²
115.79 98.33 79.01 116.41 96.52 84.41 103.56 86.62 | 112.47 | 0
105.35 95.71 65.92 101.8 101.63 74.12 94.66 80.87 | 103.59 | 7.68
100.93 88.92 72.50 111.5 101 83.92 93.2 79.14 | 104.52 | 5.44
126.04 104.28 76.68 125.11 113.35 119.64 111.93 92.41 | 123.71 | 20.68
119 99.44 72.97 123.33 104.58 95.80 98.70 95.89 | 115.13 | 4.4
107.87 84.01 75.63 116.62 104 80.89 105.43 82.67 | 108.96 | 3.71
121.8 93.96 82.18 121.33 108.52 89.01 128.47 83.83 | 120.33 | 8.66

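The chi-square comparison described for Table 6, and applied again to the different-user sessions of Table 7, can be recomputed from the tabulated times. The following Python is an added example, not code from the patent; the function names are assumptions, and the rows are transcribed from the two tables with the first row of each used as the expected frequency.

```python
# Added example: recomputing the chi-square statistic behind Tables 6 and 7.
CHI2_CRITICAL = 18.475  # 0.01 level, 7 degrees of freedom (value quoted in the text)

# Average drag-and-drop time in ms for directions 1..8, transcribed from Table 6
# (seven sessions of one user). The first row is the expected frequency.
TABLE6_SAME_USER = [
    [115.79, 98.33, 79.01, 116.41, 96.52, 84.41, 103.56, 86.62],
    [105.35, 95.71, 65.92, 101.8, 101.63, 74.12, 94.66, 80.87],
    [100.93, 88.92, 72.50, 111.5, 101, 83.92, 93.2, 79.14],
    [126.04, 104.28, 76.68, 125.11, 113.35, 119.64, 111.93, 92.41],
    [119, 99.44, 72.97, 123.33, 104.58, 95.80, 98.70, 95.89],
    [107.87, 84.01, 75.63, 116.62, 104, 80.89, 105.43, 82.67],
    [121.8, 93.96, 82.18, 121.33, 108.52, 89.01, 128.47, 83.83],
]

# Same layout, transcribed from Table 7 (Users 1..7); User 1 is the expected row.
TABLE7_DIFFERENT_USERS = [
    [106.81, 137.58, 77.09, 128.62, 110.87, 121.69, 146.6, 74.48],
    [105.35, 95.71, 65.92, 101.8, 101.63, 74.12, 94.66, 80.87],
    [95.76, 89.28, 65.15, 103, 97.23, 82.14, 122.52, 73.74],
    [187.7, 142.32, 137.76, 212.5, 196.87, 148.92, 208.87, 153.75],
    [91.31, 138.87, 90.71, 135, 81.28, 85.61, 84.46, 67.14],
    [122, 95.44, 83.65, 117.62, 120.06, 88.74, 145.06, 115.40],
    [100.73, 84.76, 63.84, 107.44, 112.83, 88.17, 108.88, 73.80],
]


def chi_square(observed, expected):
    """Sum of (O - E)^2 / E over the eight movement directions."""
    if len(observed) != len(expected):
        raise ValueError("sessions must cover the same directions")
    if any(e <= 0 for e in expected):
        raise ValueError("expected times must be positive")
    return sum((o - e) ** 2 / e for o, e in zip(observed, expected))


def compare_to_reference(sessions, critical=CHI2_CRITICAL):
    """Treat sessions[0] as expected; return (chi2, exceeds_critical) for the rest."""
    reference = sessions[0]
    results = []
    for session in sessions[1:]:
        chi2 = chi_square(session, reference)
        results.append((chi2, chi2 > critical))
    return results


if __name__ == "__main__":
    for name, table in (("same user", TABLE6_SAME_USER),
                        ("different users", TABLE7_DIFFERENT_USERS)):
        for chi2, differs in compare_to_reference(table):
            print(f"{name}: chi2={chi2:.2f} exceeds {CHI2_CRITICAL}: {differs}")
```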
The second null hypothesis we wanted to prove is that there is a detectable difference between different users, which does not depend on other environment variables like hardware and software configuration. Table 7 shows seven sessions for seven different users; we use the 1st user session as the expected frequency. Chi-square is calculated for the other six users. The results shown indicate significant differences in the compared frequencies, proving the second null hypothesis.

TABLE 7 Drag-drop sessions for seven different users

User | 1 2 3 4 5 6 7 8 | Avg. | χ²
User 1 | 106.81 137.58 77.09 128.62 110.87 121.69 146.6 74.48 | 127.13 | 0
User 2 | 105.35 95.71 65.92 101.8 101.63 74.12 94.66 80.87 | 103.59 | 58.28
User 3 | 95.76 89.28 65.15 103 97.23 82.14 122.52 73.74 | 104.23 | 43.54
User 4 | 187.7 142.32 137.76 212.5 196.87 148.92 208.87 153.75 | 200.16 | 347.49
User 5 | 91.31 138.87 90.71 135 81.28 85.61 84.46 67.14 | 108.54 | 60.64
User 6 | 122 95.44 83.65 117.62 120.06 88.74 145.06 115.40 | 127.9 | 48.74
User 7 | 100.73 84.76 63.84 107.44 112.83 88.17 108.88 73.80 | 105.99 | 45.36

Keystroke Dynamics

Table 8 shows a combination of tri-graphs generated from three sessions for two different users, and the corresponding time used to perform the tri-graphs in milliseconds. The tri-graphs shown are centered by the character ‘a’ (ASCII code 65). From the table we can notice the similarity between the response times for the first user's sessions; we can also notice an obvious difference in behavior between the two users, which can easily be detected for some of the tri-graphs (marked in bold).

TABLE 8 Time used to perform different tri-graphs for two different users

Tri-graph ASCII Code | User 1 Session 1 | User 1 Session 2 | User 2
87-65-68 | 86 | 85 | 73
83-65-89 | 83 | 82 | 69
77-65-78 | 76 | 70 | 60
70-65-69 | 134 | 112 | 62
82-65-72 | 122 | 92 | 80
77-65-78 | 74 | 76 | 68
87-65-68 | 80 | 81 | 71
83-65-89 | 71 | 75 | 111
83-65-76 | 62 | 62 | 59
83-65-76 | 67 | 64 | 63
76-65-77 | 143 | 205 | 56

In access control applications the extracted group of digraphs and tri-graphs are pre-defined since the user is asked to enter a paragraph containing them. In intrusion detection applications, however, this scenario is not applicable.

Detecting the behavior from an unexpected set of digraphs requires a large amount of data to be collected in the enrollment mode so as to cover a higher percentage of the captured data in the verification mode.

Our goal was to design a detection algorithm that generates a Keystroke Dynamics Signature or KDS, which could be used as a reference user profile and matched against active user profiles to dynamically detect masqueraders.

We propose two different approaches to construct the KDS: a digraph-based approach which utilizes a single neural network per user, and a key-oriented neural network based approach, where a neural network is trained for each keyboard key to best simulate its usage dynamics with reference to other keys. We also propose a technique which can be used to approximate a tri-graph value based on other detected tri-graphs and the locations of the keys with reference to each other, aiming to minimize the failure to compare ratio (FTC) and to speed up the user enrollment process.

The first approach we propose is a digraph-based analysis approach. The approach utilizes a neural network to simulate the user behavior based on the detected digraphs. The neural network (FIG. 20) used for this approach is a feed-forward multilayer perceptron network. The training algorithm is back propagation. The network consists of four layers: an input layer, two hidden layers, and a single-node output layer.

The input layer consists of N number of nodes where N = 2 × Number of Monitored Keyboard keys. Input to the nodes is binary 0 or 1, as each node in the input layer represents a key. The 1st N nodes represent the key where the action is started at, and the 2nd N nodes represent the key where the action ends. Each batch of nodes should have only one input set to one while the other inputs are set to 0; the node set to 1 represents the selected key.

During the enrollment mode, a batch of M actions will be collected and fed to the behavior modeling neural network as a training data. The factor M representing the number of actions used for enrollment will be determined based on another factor D which represents the percentage coverage of the collected digraphs combinations during the data collection process. When this percentage reaches a specific pre-defined limit, the collected data can be used for the enrollment process.

A simulation will run after the neural network has been trained with this batch. This simulation will consist of a number of non redundant actions picked from the enrollment data. The result of this simulation will be stored for each user as well as the training data, which will be used also in the verification stage.

A small batch of actions will be used in this stage to verify the user identity; this batch will be added to the training batch of the user's neural network, resulting in a network with different weights. The effect of the small batch on the network weights represents a deviation from the enrollment network. In order to measure this deviation, another simulation will run on this network with the same batch prepared for the enrollment process for the specific user. By comparing the result of this simulation to the enrollment stage result, the deviation can be specified. An approach that can be used here is to calculate the sum of the absolute difference of the two results: if this deviation is low (within a specific limit) then the collected sample is for the same user; if not, then this sample is for another user.
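The data handling around the digraph network, as an added example that is not code from the patent: building the binary input vector (one batch of nodes for the start key, one for the end key), deriving M from the coverage limit D, and the sum-of-absolute-differences check. The network itself is left out; the monitored key set, the keystroke stream, the simulation outputs and the limits are constructed assumptions, and each batch is assumed to hold one node per monitored key.

```python
# Added example: enrollment gating and the verification decision rule.
MONITORED_KEYS = ["a", "e", "n", "t"]  # assumption: a tiny monitored key set

# Constructed stream of (start key, end key, elapsed ms) actions.
ACTIONS = [("t", "e", 95), ("e", "n", 110), ("n", "t", 120), ("t", "e", 98),
           ("x", "a", 80), ("a", "n", 105), ("e", "a", 130), ("t", "a", 90),
           ("a", "t", 101), ("n", "e", 99)]


def encode_digraph(start, end, keys=MONITORED_KEYS):
    """Binary input vector: one node set in the start batch, one in the end batch."""
    vec = [0] * (2 * len(keys))
    vec[keys.index(start)] = 1
    vec[len(keys) + keys.index(end)] = 1
    return vec


def enrollment_batch(actions, limit_percent, keys=MONITORED_KEYS):
    """Collect actions until digraph coverage D reaches limit_percent.

    Returns (M, training_rows, reference_digraphs), where M is the number of
    actions used and reference_digraphs are the non-redundant digraphs kept
    for the simulation run. Returns None if the limit is never reached.
    """
    possible = len(keys) ** 2          # all start/end combinations
    rows, reference = [], []
    for start, end, ms in actions:
        if start not in keys or end not in keys:
            continue                   # action involves an unmonitored key
        rows.append((encode_digraph(start, end, keys), ms))
        if (start, end) not in reference:
            reference.append((start, end))
        if 100.0 * len(reference) / possible >= limit_percent:
            return len(rows), rows, reference
    return None


def deviation(enrolled_outputs, verification_outputs):
    """Sum of absolute differences between the two simulation results."""
    if len(enrolled_outputs) != len(verification_outputs):
        raise ValueError("both simulations must use the same reference batch")
    return sum(abs(a - b) for a, b in zip(enrolled_outputs, verification_outputs))


def same_user(enrolled_outputs, verification_outputs, limit):
    """Low deviation: same user. High deviation: sample belongs to another user."""
    return deviation(enrolled_outputs, verification_outputs) <= limit


# Constructed network outputs for the four reference digraphs.
ENROLLED = [0.41, 0.52, 0.60, 0.47]
AFTER_SAME_USER_BATCH = [0.43, 0.50, 0.61, 0.46]
AFTER_OTHER_USER_BATCH = [0.70, 0.30, 0.35, 0.80]
```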

Our second proposed approach is based on tri-graph analysis. We name this approach the “Key Oriented” approach because it is based on assigning a neural network for each monitored key on the keyboard. The neural network used in this approach is similar to the one described in the previous section. The training procedure requires passing the tri-graph start key, end key, and the elapsed time to the network. FIG. 21 gives an example of how multi network is utilized in the enrollment or detection phases.

The coverage matrix is a three-dimensional matrix which is used to store the number of occurrences of the observed tri-graphs in the enrollment mode. Keeping track of such information helps in different areas such as in evaluating the overall coverage of the enrollment process and the development of a customized enrollment scenario which can be used in case of low coverage. It also helps in the approximation technique which is explained in the next section.

In order to develop a technique to help in minimizing the amount of data needed for the enrollment process, the information needed should be extracted from the information detected so far.

The approximation matrix, which is a two-dimensional matrix, represents the relations between the keys and how close or far they are from each other. The matrix will be initialized with numbers representing the actual distances between the keys on the keyboard.

FIG. 22 illustrates how the approximation process is performed. Let us assume that an approximation for the EB digraph is needed; we can detect that directly from its corresponding value in the coverage matrix (FIG. 22 b). The approximation matrix will be used to locate alternative entries (for each key) which have the lowest distance in the matrix; in this case it will be (D,H) and (G,F) respectively.

From this step we can enumerate the tentative approximations; in this case they are DG, DH, FG, and FH. In the next step the distance of each combination will be calculated from the approximation matrix (underlined numbers in FIG. 22 a), where they will be sorted according to their closeness to the original distance of the approximated digraph (AppMatrix(EB)=3). The sorted result is (FH, DG, DH, FG).

The coverage matrix may be used to make the final decision out of the sorted result. The matrix in FIG. 22 b shows only the weights of the tentative combinations. Notice that digraph FH has a coverage of 30, which means that it is a good candidate (the best fit in this case). The second alternative DG also has good coverage, while DH has a relatively low coverage.
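The approximation walk-through above, as an added Python example that is not code from the patent. Only AppMatrix(EB)=3 and the coverage of 30 for FH come from the text; every other distance and coverage value, the neighbour count k and the minimum-coverage threshold are constructed so that the steps come out as described, and they are not the values of FIG. 22.

```python
from itertools import product

# Approximation matrix: symmetric key-to-key distances (constructed values,
# except EB = 3 which the text states).
_DISTANCES = {"EB": 3, "ED": 1, "EF": 1, "EG": 4, "EH": 4,
              "BG": 1, "BH": 1, "BD": 3, "BF": 2,
              "FH": 3, "DG": 2, "DH": 5, "FG": 6, "DF": 2, "GH": 2}
APP_MATRIX = {frozenset(pair): d for pair, d in _DISTANCES.items()}

# Coverage matrix restricted to the digraphs involved: number of occurrences
# seen during enrollment (FH = 30 from the text, the rest constructed).
COVERAGE = {"EB": 0, "FH": 30, "DG": 22, "DH": 3, "FG": 12}


def distance(a, b):
    return APP_MATRIX[frozenset((a, b))]


def nearest_keys(key, other, k=2):
    """The k keys with the lowest distance to `key`, never the digraph's other key."""
    neighbours = []
    for pair, d in APP_MATRIX.items():
        if key in pair and other not in pair:
            (neighbour,) = pair - {key}
            neighbours.append((d, neighbour))
    return [name for _, name in sorted(neighbours)[:k]]


def ranked_candidates(digraph, k=2):
    """Tentative approximations, sorted by closeness to the original distance."""
    first, second = digraph
    target = distance(first, second)
    combos = [a + b
              for a, b in product(nearest_keys(first, second, k),
                                  nearest_keys(second, first, k))
              if a != b]
    return sorted(combos, key=lambda c: abs(distance(c[0], c[1]) - target))


def approximate(digraph, coverage, min_coverage=10, k=2):
    """Return the digraph whose timings stand in for `digraph`, or None.

    A digraph with enough coverage of its own needs no approximation. Otherwise
    the best-ranked candidate with sufficient coverage wins; None means the
    sample still cannot be compared.
    """
    if coverage.get(digraph, 0) >= min_coverage:
        return digraph
    for candidate in ranked_candidates(digraph, k):
        if coverage.get(candidate, 0) >= min_coverage:
            return candidate
    return None


if __name__ == "__main__":
    print(ranked_candidates("EB"))        # ranking for the EB digraph
    print(approximate("EB", COVERAGE))    # chosen stand-in
```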

1. A behavioral biometrics-based user verification system for use with a motion-based input device, said system comprising a data interception unit for receiving inputs from a user, a behavior analysis unit operatively coupled to said data interception unit, and a behavior comparison unit operatively coupled to said behavior analysis unit, wherein said system translates behavioral biometrics information into representative data, stores and compares different results, and outputs a user identity result.
2. The user verification system of claim 1, wherein said system is suitably configured for dynamic monitoring.
3. The user verification system of claim 2 wherein the dynamic monitoring is suitably configured for passive data collection.
4. The user verification system of any one of claims 1 to 3, wherein said system is suitably configured for real-time monitoring.
5. The user verification system of any one of claims 1 to 4, further comprising secure communication protocols operatively coupled to said data interception unit.
6. The user verification system of any one of claims 1 to 5, wherein said data interception unit is configured to identify data from a mouse as one of movement, drag and drop, point and click, and silence, such that in use, said system receives data from a mouse.
7. The user verification system of claim 6, wherein said data interception unit is further configured to characterize movement based on at least one of average speed, average traveled distance, and direction of movement.
8. The user verification system of any one of claims 1 to 6, wherein said data interception unit is configured to identify actions from a keyboard on the basis of dwell time and flight time such that in use, said system receives data from a keyboard.
9. The verification system of claim 7 or 8, wherein said data interception unit is further configured to identify action from a mouse as one of movement, drag and drop, point and click, and silence, such that in use, said system receives data from a mouse and from a keyboard.
10. The user verification system of claim 9, wherein said data interception unit is further configured to characterize mouse movement based on at least one of average speed, average traveled distance, and direction of movement.
11. A method of characterizing a user comprising the steps of moving a motion-based input device, collecting data from said device, processing said data, and modeling said data using suitably selected algorithms to develop a signature for a user.
12. The method of claim 11, further comprising comparing said signature with a signature of an authorized user.
13. The method of claim 11 or 12, further comprising filtering said data after processing and before modeling to reduce noise.
14. The method of any one of claims 11 to 13, further comprising passively collecting data.
15. The method of any one of claims 11 to 14, further comprising collecting, processing and modeling said data in real-time.
16. The method of any one of claims 11 to 15, further characterized as moving a mouse, collecting data from said mouse, processing said data, and modeling said data using suitably selected algorithms to develop a signature for a user.
17. The method of claim 16, wherein said collecting data further comprises characterizing movement based on at least one of average speed, average traveled distance, and direction of movement.
18. The method of any one of claims 11 to 15, further characterized as using a keyboard, collecting data from said keyboard, processing said data, and modeling said data using suitably selected algorithms to develop a signature for a user.
19. The method of claim 18, wherein said collecting data further comprises characterizing movement based on flight time and dwell time.
20. The method of claim 18 or 19, further comprising collecting data from a mouse, processing said data and modeling said data using suitably selected algorithms to develop a signature for a user based on both mouse and keyboard data.
21. The method of claim 20, wherein said collecting data further comprises characterizing movement based on at least one of average speed, average traveled distance, and direction of movement.